b'           OFFICE OF\n    THE INSPECTOR GENERAL\n\nSOCIAL SECURITY ADMINISTRATION\n\n\n\n  PERFORMANCE INDICATOR AUDIT:\n        PROCESSING TIME\n\n\n  October 2004       A-02-04-14072\n\n\n\n\nAUDIT REPORT\n\n\n\n\n                 .\n\x0c                                  Mission\n\nWe improve SSA programs and operations and protect them against fraud,\nwaste, and abuse by conducting independent and objective audits,\nevaluations, and investigations. We provide timely, useful, and reliable\ninformation and advice to Administration officials, the Congress, and the\npublic.\n\n                                 Authority\n\nThe Inspector General Act created independent audit and investigative\nunits, called the Office of Inspector General (OIG). The mission of the OIG,\nas spelled out in the Act, is to:\n\n  \xc2\x81 Conduct and supervise independent and objective audits and\n    investigations relating to agency programs and operations.\n  \xc2\x81 Promote economy, effectiveness, and efficiency within the agency.\n  \xc2\x81 Prevent and detect fraud, waste, and abuse in agency programs and\n    operations.\n  \xc2\x81 Review and make recommendations regarding existing and\n    proposed legislation and regulations relating to agency programs\n    and operations.\n  \xc2\x81 Keep the agency head and the Congress fully and currently informed\n    of problems in agency programs and operations.\n\n  To ensure objectivity, the IG Act empowers the IG with:\n\n  \xc2\x81 Independence to determine what reviews to perform.\n  \xc2\x81 Access to all information necessary for the reviews.\n  \xc2\x81 Authority to publish findings and recommendations based on the\n    reviews.\n\n                                   Vision\n\nBy conducting independent and objective audits, investigations, and\nevaluations, we are agents of positive change striving for continuous\nimprovement in the Social Security Administration\'s programs, operations,\nand management and in our own office.\n\x0c                                     SOCIAL SECURITY\n\nMEMORANDUM\n\nDate:   October 25, 2004                                                        Refer To:\n\nTo:     The Commissioner\n\nFrom:   Acting Inspector General\n\nSubject: Performance Indicator Audit: Processing Time (A-02-04-14072)\n\n\n\n        We contracted with PricewaterhouseCoopers, LLP (PwC) to evaluate 16 of the Social\n        Security Administration\xe2\x80\x99s performance indicators established to comply with the\n        Government Performance and Results Act. The attached final report presents the\n        results of two of the performance indicators PwC reviewed. For the performance\n        indicators included in this audit, PwC\xe2\x80\x99s objectives were to:\n           \xe2\x80\xa2   Test critical controls over the data generation and calculation processes for the\n               specific performance indicator,\n           \xe2\x80\xa2   Assess the overall adequacy, accuracy, reasonableness, completeness, and\n               consistency of the performance indicator and supporting data, and\n           \xe2\x80\xa2   Determine if each performance indicator provides meaningful measurement of\n               the program and the achievement of its stated objectives.\n\n        This report contains the results of the audit for the following indicators:\n\n           \xe2\x80\xa2   Average Processing Time for Initial Disability Claims (Disability Insurance and\n               Supplemental Security Income)\n           \xe2\x80\xa2   Average Processing Time for Hearings\n\n        Please provide within 60 days a corrective action plan that addresses each\n        recommendation. If you wish to discuss the final report, please call me or have your\n        staff contact Steven L. Schaeffer, Assistant Inspector General for Audit, at\n        (410) 965-9700.\n\n\n\n\n                                                   S\n                                                   Patrick P. O\xe2\x80\x99Carroll, Jr.\n\n        Attachment\n\x0cMEMORANDUM\n\nDate:     October 12, 2004\n\nTo:       Acting Inspector General\n\nFrom:     PricewaterhouseCoopers LLP\n\nSubject: Performance Indicator Audit: Processing Time (A-02-04-14072)\n\n\n\nThe Government Performance and Results Act (GPRA)1 of 1993 requires the\nSocial Security Administration (SSA) to develop performance indicators that\nassess the relevant service levels and outcomes of each program activity.2\nGPRA also calls for a description of the means employed to verify and validate\nthe measured values used to report on program performance.3\n\nTo enhance the practical use of performance information, the Office of\nManagement and Budget (OMB), in collaboration with other Federal agencies,\nhas developed the Program Assessment Rating Tool (PART), comprised of\nassessment criteria on program performance and management. The PART\nestablishes a high, "good government" standard of performance and will be used\nto rate programs in an open, public fashion.4\n\nOBJECTIVE\nFor each performance indicator included in this audit, our objectives were to:\n\n          1. Test critical controls over the data generation and calculation\n             processes for the specific performance indicator.\n          2. Assess the overall adequacy, accuracy, reasonableness,\n             completeness, and consistency of the performance indicator and\n             supporting data.\n          3. Determine if each performance indicator provides meaningful\n             measurement of the program and the achievement of its stated\n             objectives.\n\n1\n    Pub. L. No. 103-62, 107 Stat. 285.\n2\n    31 U.S.C. \xc2\xa7\xc2\xa7 1115(a)(4).\n3\n    31 U.S.C. \xc2\xa7\xc2\xa7 1115(a)(6).\n4\n    http://www.whitehouse.gov/omb/budintegration/part_assessing2004.html.\n\n\nPerformance Indicator Audit: Processing Time (A-02-04-14072)                     1\n\x0cWe audited the following performance indicators as stated in the SSA Fiscal Year\n(FY) 2003 Performance and Accountability Report (PAR):\n\n         Performance                                                 FY 2003 Reported\n           Indicator                        FY 2003 Goal                  Results\n    Average Processing\n    Time for Initial Disability\n    Claims (Disability\n                                               104 Days                  97 Days\n    Insurance (DI) and\n    Supplemental Security\n    Income (SSI))\n    Average Processing\n    Time for Hearings                          352 Days                  344 Days\n    (Days)\n\nBACKGROUND\nSSA oversees two disability programs: the DI and SSI programs. The DI program,\nauthorized by Title II of the Social Security Act,5 provides income for eligible workers\nwho have qualifying disabilities and for eligible members of their families before those\nworkers reach retirement age.6 The SSI Program, authorized by Title XVI of the Social\nSecurity Act,7 was designed as a needs-based program to provide or supplement the\nincome of aged, blind, and/or disabled individuals with limited income and resources.8\n\nTo determine eligibility for both DI and SSI, the applicant must first file a disability claim\nwith SSA. This is typically accomplished through an appointment or walk-in visit to one\nof SSA\xe2\x80\x99s approximately 1,300 field offices (FO). Interviews are conducted by a claims\nrepresentative (CR) with the applicants via the telephone or in person to determine the\napplicant\xe2\x80\x99s non-medical eligibility on the basis of income, resources, and work history.\nBasic medical information concerning the disability, medical treatments, and\nidentification of treating sources is also obtained. The claims representative inputs the\napplicant\xe2\x80\x99s information into the Modernized Claims System (MCS) for DI claims or the\nModernized SSI Claims System (MSSICS) for SSI claims. A relatively minor number of\nDI and SSI cases are input through the SSA Claims Control System (SSACCS). The\nSSACCS is used to process claims that cannot be processed through MCS or MSSICS.\n\nUpon meeting the non-medical eligibility requirements, SSA sends the DI and SSI\nclaims file to a State Disability Determination Services (DDS) office. The DDS is\nresponsible for determining claimants\xe2\x80\x99 disabilities and ensuring that adequate evidence\n\n5\n    Social Security Act, sections 201-233 (42 U.S.C. 401-433).\n6\n    http://www.ssa.gov/OP_Home/ssact/title02/0200.htm.\n7\n    Social Security Act, sections 1601-1631 (42 U.S.C. 1381-1383).\n8\n    http://www.ssa.gov/OP_Home/ssact/title16b/1601.htm.\n\n\nPerformance Indicator Audit: Processing Time (A-02-04-14072)                               2\n\x0cis available to support its determinations. Once the DDS makes a disability\ndetermination, it inputs the disability determination information into the National\nDisability Determination Service System (NDDSS). It then notifies the FO, and a letter\nis sent informing the claimant of the determination and of his/her appeal rights. The\nNDDSS transmits the disability determination data to the appropriate applicant\xe2\x80\x99s records\nwithin MCS and the SSI Records Maintenance System (SSIRMS). The closure date is\nused in the processing time calculation.\n\nApplicants whose initial disability determination is denied have 60 days from the date\nthey are notified of the determination to file for reconsideration. If the claim is denied on\nreconsideration, they have 60 days from the date they are notified to request a hearing\nbefore an administrative law judge (ALJ) of the Office of Hearings and Appeals (OHA).\n(For additional detail of this process, refer to the flowcharts in Appendix C.)\n\nRESULTS OF REVIEW\nAverage Processing Time for Initial Disability Claims (DI and SSI)\n\n         FY 2003 Goal: 104 days\n         Actual FY 2003 Performance: 97 days\n         SSA met the goal.9\n\nIndicator Background\n\nThe Work Management System (WMS) maintains claims data from MCS. The\nSSACCS maintains its own claims data. When a determination is made for a DI claim,\nthe Management Information Initial Claims Record (MIICR) reads the clearance\ninformation from the WMS or from the SSACCS. MIICR writes data for the completed\nclaim into the MIICR Master File, which creates a file of completed claims for the week.\nMIICR also creates a monthly file of completed claims and produces the monthly Field\nOffice Initial Disability Claims Report \xe2\x80\x93 Processing Time.\nWhen a determination is made for an SSI claim, an initial determination date is posted\nto the Supplemental Security Record (SSR) by the DDS, and claim data is forwarded to\nthe SSI Claims Exception Control System. This system ensures the claim data is\ncomplete before the data is sent to the SSI Claims Report (SSICR), which is a process\nthat compiles the claims data for inclusion in the Field Office Initial SSI Blind & Disabled\nClaims Report \xe2\x80\x93 Processing Time. (For additional detail of this process, refer to the\nflowcharts located in Appendix C.)\nSSA calculates the initial disability claims processing times (days) for inclusion in the\nPAR by obtaining monthly figures from the Field Office Initial Disability Claims Report \xe2\x80\x93\nProcessing Time and Field Office Initial SSI Blind & Disabled Claims Report \xe2\x80\x93\n\n\n9\n    SSA\xe2\x80\x99s FY 2003 PAR.\n\n\nPerformance Indicator Audit: Processing Time (A-02-04-14072)                               3\n\x0cProcessing Time. These monthly figures are summed to obtain a grand total of both the\nTitle II and Title XVI processing time. (See the formulas below.)\n\n\n                                                           Sum of the 12 months (October\n  Total Processing Time for Title II                 =     2002 through September 2003)\n        and Title XVI claims                               processing times for Title II and\n                                                           Title XVI claims\n\nSimilar to the Title II and Title XVI processing time, the total number of claims\nprocessed is obtained per the Field Office Initial Disability Claims Report \xe2\x80\x93 Processing\nTime and Field Office Initial SSI Blind & Disabled Claims Report \xe2\x80\x93 Processing Time on\na monthly basis and manually recorded onto a spreadsheet. These monthly figures are\nsummed to obtain a total of both the Title II and Title XVI claims processed. (See the\nformula below.)\n\n\n                                                           Sum of the 12 months (October\nTotal Claims for Title II and Title XVI              =     2002 through September 2003) for\n                                                           Title II and Title XVI claims\n\nThe formulas within the spreadsheet calculate the average processing time for DI and\nSSI for the year. The formula divides the total processing time for Title II and Title XVI\nclaims by the total claims for Title II and Title XVI. (See the formula below.)\n\n                                                           Total Processing Time for Title II\n                                                           and Title XVI claims\n  Average Processing Time for DI\n                                                    =\n             and SSI\n                                                           Total Claims for Title II and Title XVI\n\n\nFindings\n\nWe were unable to recalculate the results of this performance indicator as reported in\nthe PAR. The detailed data used to calculate the Title XVI processing time was not\nreadily available. The data was not archived, and recreating the data for this audit was\nnot considered to be worth the cost. The Supplemental Security Income Processing\nTime (SSIPT) application replaced SSICR, the previous Title XVI processing time\napplication, on October 1, 2003, so the FY 2003 SSICR data was not retained. The\nTitle II detailed data was available for a rolling 56-day period, but similar to the Title XVI\ndata, it was not archived. Accordingly, we selected and recalculated the Title II\nprocessing time for the month of June 2003. We concluded that the Title II processing\ntime for the month of June 2003 was accurate.\n\n\n\n\nPerformance Indicator Audit: Processing Time (A-02-04-14072)                                         4\n\x0cSSA had not documented policies and procedures related to the formal process to\ncollect, review and make available the performance indicator data to Agency\nmanagement. OMB Circulars A-123 and A-127 provide guidance for the retention of\nthis data. Documentation describing the automated and manual controls involved in the\ncalculation and reporting of the performance indicator do not exist.\n\nWe tested the logical access controls for the Title II and Title XVI mainframe datasets\nused to calculate the indicator and found that a total of 17 SSA employees and\ncontractors had the "All" access designation within the Top Secret security software to\nthese datasets. This level of access would allow users to create, delete and update any\nof the data (or datasets) contained within the datasets we reviewed without appropriate\nreview or approval of the changes. This level of access prevents SSA from ensuring\nthe integrity of this production data. Additionally, by allowing employees and\ncontractors to have the "All" access designation, SSA is not conforming to the principles\nof "least privileged access" or segregation of duties. SSA is in the process of\ncompleting the Standardized Security Profile Project (SSPP). The goal of this project is\naddress the principles of \xe2\x80\x9cleast privileged access.\xe2\x80\x9d\n\nAll of the source code for the SSICR processing system had not been maintained.\nTherefore, if a failure is encountered, it is not possible to review the entire source code\nto identify and correct the error. SSICR was replaced by SSIPT on October 1, 2004.\n\nAn audit trail for transactions processed through the SSACCS was not produced or\nreviewed. Therefore, claims entered through the normal application process may not be\ncorrectly processed. Claims data may be altered, lost, or misidentified during input and\nincorrect, inconsistent, or unreasonable data may be accepted as valid for both the\nprocessing of the claim and as it is included in the indicator calculation.\n\nThe Title II and Title XVI processing times were combined for purposes of reporting in\nthe PAR. Because processing times differ between the two programs, changes in the\nmix of cases may impact the combined processing time. Accordingly, if SSA chooses to\nreport these results together, they should disclose in the PAR the impact of changes in\nthe mix of cases on the combined processing time. This would result in a more\naccurate assessment of how the Agency is meeting its\xe2\x80\x99 goal to deliver high quality,\ncitizen-centered service.\n\nWe noted from a selection of 45 applications that 1 of the 45 Title XVI application dates\nwas not correctly input into the application date field within MSSICS. Specifically, the\nincorrect month was input into MSSICS. Data input errors from source documents may\nresult in inaccurate or untimely data used to calculate the processing time.\n\n\n\n\nPerformance Indicator Audit: Processing Time (A-02-04-14072)                              5\n\x0cAverage Processing Time for Hearings (Days)\n\n         FY 2003 Goal: 352 days\n         Actual FY 2003 Performance: 344 days\n         SSA met the goal.10\n\nIndicator Background\n\nThe OHA administers the nationwide hearings and appeals program for SSA. OHA\nincludes a nationwide field organization staffed with ALJs who conduct hearings and\nmake decisions on appeals filed by claimants, their representatives, or providers-of-\nservice institutions under the Social Security Act.\n\nFollowing receipt of a request for a hearing (RH), the hearing office (HO) staff will\nconduct initial screening and case preparation that include the following tasks:\n\n             \xe2\x80\xa2   Acknowledge receipt of the RH.\n             \xe2\x80\xa2   Establish an HO case control record on the Hearing Office Tracking\n                 System (HOTS).\n             \xe2\x80\xa2   Determine if the RH is a valid request.\n             \xe2\x80\xa2   Determine if the RH was timely filed.\n             \xe2\x80\xa2   Determine if the HO has venue, i.e., if the claimant resides within the HO\'s\n                 service area.\n             \xe2\x80\xa2   Create an HO file.\n             \xe2\x80\xa2   Request the claim file from the FO if it has not been received.\n\nUpon completion of the above tasks, a hearing will be scheduled. The ALJ hearing\ngenerally includes the following:\n\n             \xe2\x80\xa2   Introductions.\n             \xe2\x80\xa2   Opening statement.\n             \xe2\x80\xa2   Oaths or affirmations.\n             \xe2\x80\xa2   Citation of the evidence.\n             \xe2\x80\xa2   Oral testimony.\n             \xe2\x80\xa2   Presentation of written or oral argument.\n             \xe2\x80\xa2   Closing statement.\n\nThe ALJ will complete a written decision unless the RH was not filed in a timely manner.\nThe written decision is the final decision or recommended decision depending on the\ncircumstances of the case. The ALJ updates HOTS to denote that a decision has been\nmade on the case. The decision is input into HOTS by the master docket clerk and\nmailed to the claimant. The mail date is the end date in the processing time calculation.\n\n10\n     SSA\xe2\x80\x99s FY 2003 PAR.\n\n\nPerformance Indicator Audit: Processing Time (A-02-04-14072)                               6\n\x0cEach of the HOs provides the respective regional office with the total processing days\nand dispositions for inclusion in the combined regional processing time calculation. The\nHOs send this data through email as a dbase file. The regional offices combine each of\nthe hearing offices\' processing times to obtain the total processing time at the regional\nlevel and send this data through email as a dbase file to the national OHA. The national\nOHA combines the regional offices\xe2\x80\x99 data to obtain the overall processing time. (See the\nformulas below.)\n\n                                                           Sum of the 12 months (October\nTotal Processing Time for Hearings                    =    2002 through September 2003) of\n                                                           the hearing offices\xe2\x80\x99 processing time.\n\n\n                                                           Sum of the 12 months (October\n     Total Dispositions for Hearings                  =    2002 through September 2003) of\n                                                           dispositions for hearings.11\n\n\n\n                                                           Total Processing Time for Hearings\n     Average Processing Time for                  =                                                M\n              Hearings\n                                                           Total Dispositions for Hearings\n\nA Plan\nFindings\n\nWe were unable to recalculate the processing time reported in the PAR. The detailed\ndata used to calculate this performance indicator was not maintained or archived.\n\nSSA had not documented policies and procedures related to the formal process to\ncollect, review and make available the performance indicator data to Agency\nmanagement. OMB Circulars A-123 and A-127 provide guidance for the retention of\nperformance indicator data. Documentation describing the automated and manual\ncontrols involved in the calculation and reporting of the performance indicator do not\nexist.\n\nWe noted from a selection of 45 Medicare case files that 7 of 45 RH dates were not\ninput into the HOTS Medicare application correctly. Data input errors from source\ndocuments result in inaccurate or untimely data used in processing.\n\n11\n  Dispositions are defined as the number of hearing requests processed, including favorable and\nunfavorable decisions. Source: Office of Hearings and Appeals FY 2003 Report and Fourth Quarter\nReport, p. 3 and Electronic Key Workload Indicator Report, OHA Internal Hearing Office Tracking System\nand OHA Case Control System.\n\n\nPerformance Indicator Audit: Processing Time (A-02-04-14072)                                           7\n\x0cDuring our testing, we noted that the HOTS application was replaced by the Case\nProcessing and Management System (CPMS). However, Medicare cases will continue\nto be processed through the HOTS application after the implementation of CPMS. The\ndata reported on the PAR will be reported from two different systems for FY 2004. We\nnoted the following weaknesses within the HOTS application:\n\n    \xe2\x80\xa2   Security incident reports cannot be produced to track the occurrence of\n        inappropriate access to the data.\n    \xe2\x80\xa2   The password parameters do not require a minimum password length, or require\n        change of password.\n    \xe2\x80\xa2   The password parameters are listed in clear text in the password file and are not\n        required to be alphanumeric.\n    \xe2\x80\xa2   User ids are not locked out after a set number of failed login attempts, and a\n        password history for the user is not maintained.\n    \xe2\x80\xa2   There are three students that have supervisor access to the HOTS application.\n        This level of access does not follow the least privileged access principle.\n    \xe2\x80\xa2   Claims entered into HOTS can be re-opened.\n    \xe2\x80\xa2   An audit trail is not maintained for the HOTS application.\n\nOHA at Falls Church, Virginia maintains a draft contingency plan which is being updated\nto address the current weaknesses. The plan has not been approved by SSA\nmanagement. In the event of an emergency, the OHA Falls Church, Virginia location\nmay not be able to recover its critical operations.\n\nOur review of the Windows 2000 system that HOTS resides on identified 28 security\nand compliance issues. This review was conducted in accordance with the baseline\nestablished by the SSA Risk Model, National Institute of Standards and Technology\n(NIST), and Defense Information Security Agency (DISA). There are 8 issues that were\ncontrary to the requirements of the SSA Risk Model and 20 other conditions that were\ncontrary to existing government guidelines from NIST and the DISA Windows 2000\nSecurity Checklist, version 3.1.11.\n\nRECOMMENDATIONS\nWe recommend SSA:\n\n    1. Maintain the detailed data used to calculate the performance indicator results\n       that are reported in the PAR and ensure this data is readily available for\n       examination in accordance with OMB Circulars A-123 and A-127.\n    2. Maintain documentation that describes how the performance indicator goals were\n       established, document the policies and procedures used to prepare and report\n       the results of the performance indicators, and keep a complete audit trail.\n\n\n\n\nPerformance Indicator Audit: Processing Time (A-02-04-14072)                           8\n\x0cSpecific to the performance indicator, \xe2\x80\x9cAverage Processing Time for Initial Disability\nClaims,\xe2\x80\x9d we recommend SSA:\n\n    3. Ensure that SSA personnel do not have the ability, through inappropriate access,\n       to directly modify, create or delete the datasets used to calculate the results of\n       this indicator.\n    4. Maintain all source code for all applications used to calculate the performance\n       indicator.\n    5. Maintain an audit trail that captures the user id or terminal, date and time of the\n       transaction being processed. Policies and procedures should be created to\n       review the audit trail for inappropriate access to data or processing of\n       transactions.\n    6. Disclose the impact on the mix of Title II and Title XVI claims and its impact on\n       combined processing time results reported in the PAR.\n    7. Ensure the correct data is input into the Title XVI application.\n\nFor the recommendations stated below, SSA management should take corrective action\nover the HOTS system and ensure that these recommendations are addressed in the\nCPMS system. Specific to the performance indicator, \xe2\x80\x9cAverage Processing Time for\nHearings (Days),\xe2\x80\x9d we recommend SSA:\n\n   8. Ensure the correct data is input into the HOTS system.\n   9. Strengthen the security internal to the HOTS system to include security incident\n      reports to track inappropriate access to data.\n  10. Strengthen password parameters in HOTS to require users to change their\n      passwords every 60 days, to encrypt the passwords located in the user table, to\n      lockout a user after a set number of failed attempts, to create alphanumeric\n      passwords, and to maintain a password history.\n  11. Reserve supervisory access in HOTS as the highest level of access and be\n      granted on a least privileged basis.\n  12. Ensure claims that are required to be opened are logged and reviewed by\n      management.\n  13. Maintain an audit trail that captures the user id or terminal, date and time of the\n      transaction being processed. Policies and procedures should be created to\n      review the audit trail for inappropriate access to data or processing of\n      transactions.\n  14. Ensure that the contingency plan is completed and approved by management.\n  15. Ensure that Windows 2000 is configured to be in compliance with the SSA Risk\n      Model and government guidelines from NIST and the DISA Windows 2000\n      Security Checklist, version 3.1.11.\n\nAGENCY COMMENTS AND PwC RESPONSE\nThe Agency agreed with 10 of the 15 recommendations. In a general response\nunrelated to a specific recommendation, SSA stated that it disagreed with the\nconclusion that it had not documented polices and procedures related to the formal\n\n\nPerformance Indicator Audit: Processing Time (A-02-04-14072)                             9\n\x0cprocess to collect and review performance indicator data, noting several manuals as\nsources of such documentation. We agree that SSA management has documented\nseveral technical and user manuals related to the use and processing of SSA\nmanagement information. However, SSA was unable to provide policies and\nprocedures related to the specific processes to collect, review, and provide data for\ncalculation of the performance indicators audited.\n\nIn disagreeing with recommendation 6, SSA stated that disclosing the impact of\ncombining Title II and Title XVI cases when measuring processing times for disability\nclaims is not always relevant to overall processing time and such a discussion would not\nbe appropriate for inclusion in the PAR. It added that it would report in the PAR when\nthe workload mix changes significantly enough to impact processing time overall. We\nbelieve that the differences between the two programs processing times are relevant\nand that the reader would be better informed if SSA disclosed the mix of Title II and Title\nXVI claims and its impact on combined processing time results reported in the PAR.\n\nIn disagreeing with recommendations 8 through 11, the Agency stated that HOTS has\nbeen replaced with CPMS, so the recommendations focused on strengthening HOTS\nare moot. Additionally, SSA stated that CPMS has implemented additional edits and\nthat it is controlled by Top Secret Security profiles, which help to ensure that CPMS\navoids the type of weaknesses noted in HOTS.\n\nHOTS was the focus of our audit work of the hearings processing time indicator since it\nwas the system used during our audit period. While CPMS will measure the majority of\nthe hearings claims in the future, HOTS will continue to be used in the near-term to\ntrack OHA\xe2\x80\x99s Medicare workload. Recognizing the results for this indicator will be\ncalculated using both HOTS and CPMS in the future, we believe that SSA management\nshould take corrective action to strengthen the HOTS system and ensure that these\nrecommendations are addressed in the CPMS system. SSA should take the steps\nnecessary to ensure that the data collected to measure and report on hearings\nprocessing time is accurate and properly secured.\n\nFinally, in agreeing with recommendation 15, SSA questioned whether it was required\nto adhere to the DISA standards. We recognize that there has not been a directive for\nnon-Department of Defense agencies to follow DISA standards. However, the DISA\nguidelines are government industry recognized best practices for securing information\nsystems environments. Accordingly, we recommend that SSA ensure that the Windows\n2000 environment is configured to be in compliance with the SSA Risk Model and\ngovernment guidelines from NIST and the DISA Windows 2000 Security Checklist,\nVersion 3.1.11.\n\nThe full text of the Agency\xe2\x80\x99s comments is in Appendix D.\n\n\n\n\nPerformance Indicator Audit: Processing Time (A-02-04-14072)                             10\n\x0c                                                Appendices\nAPPENDIX A \xe2\x80\x93 Acronyms\n\nAPPENDIX B \xe2\x80\x93 Scope and Methodology\n\nAPPENDIX C \xe2\x80\x93 Process Flowcharts\n\nAPPENDIX D \xe2\x80\x93 Agency Comments\n\n\n\n\nPerformance Indicator Audit: Processing Time (A-02-04-14072)\n\x0c                                                                  Appendix A\nAcronyms\n ALJ            Administrative Law Judge\n CE             Consultative Exam\n CPMS           Case Processing Management System\n CR             Claim Representative\n DDS            Disability Determination Services\n DI             Disability Insurance\n DISA           Defense Information Security Agency\n FO             Field Office\n FY             Fiscal Year\n GAO            Government Accountability Office\n GPRA           Government Performance and Results Act\n HO             Hearing Office\n HOTS           Hearing Office Tracking System\n MAR            Monthly Activity Report\n MBR            Master Beneficiary Record\n MCS            Modernized Claims System\n MIICR          Management Information Initial Claims Record\n MSSICS         Modernized Supplemental Security Income Claims Systems\n NDDSS          National Disability Determination Service System\n NIST           National Information Security Technology\n OHA            Office of Hearings and Appeals\n OMB            Office of Management and Budget\n OSM            Office of Strategic Management\n PAR            Performance and Accountability Report\n PART           Program Assessment Rating Tool\n RH             Request for Hearing\n SSA            Social Security Administration\n SSACCS         Social Security Administration Claims Control System\n SSI            Supplemental Security Income\n SSICR          Supplemental Security Income Claims Report\n SSIPT          Supplemental Security Income Processing Time\n SSIRMS         Supplemental Security Income Records Maintenance System\n SSR            Supplemental Security Record\n TSC            Tele-Service Center\n WMS            Work Management System\n\n\nPerformance Indicator Audit: Processing Time (A-02-04-14072)\n\x0c                                                                      Appendix B\nScope and Methodology\nWe updated our understanding of the Social Security Administration\xe2\x80\x99s (SSA)\nGovernment Performance and Results Act (GPRA) processes. This was completed\nthrough research and inquiry of SSA management. We also requested SSA to provide\nvarious documents regarding the specific programs being measured as well as the\nspecific measurement used to assess the effectiveness and efficiency of the related\nprogram.\n\nThrough inquiry, observation, and other substantive testing, including testing of source\ndocumentation, we performed the following, as applicable:\n\n    \xe2\x80\xa2   Reviewed prior SSA, Government Accountability Office, and other reports related\n        to SSA GPRA performance and related information systems.\n    \xe2\x80\xa2   Met with the appropriate SSA personnel to confirm our understanding of each\n        individual performance indicator.\n    \xe2\x80\xa2   Flowcharted the processes. (See Appendix C).\n    \xe2\x80\xa2   Tested key controls related to manual or basic computerized processes (e.g.,\n        spreadsheets, databases, etc.).\n    \xe2\x80\xa2   Conducted and evaluated tests of the automated and manual controls within and\n        surrounding each of the critical applications to determine whether the tested\n        controls were adequate to provide and maintain reliable data to be used when\n        measuring the specific indicator.\n    \xe2\x80\xa2   For those indicators with results that SSA determined using computerized data,\n        we assessed the completeness and accuracy of that data to determine the data\'s\n        reliability as it pertains to the objectives of the audit.\n    \xe2\x80\xa2   Identified and extracted data elements from relevant systems and obtained\n        source documents for detailed testing selections and analysis.\n    \xe2\x80\xa2   Identified attributes, rules, and assumptions for each defined data element or\n        source document.\n\nAs part of this audit, we documented our understanding, as conveyed to us by Agency\npersonnel, of the alignment of the Agency\xe2\x80\x99s mission, goals, objectives, processes, and\nrelated performance indicators. We analyzed how these processes interacted with\nrelated processes within SSA and the existing measurement systems. Our\nunderstanding of the Agency\xe2\x80\x99s mission, goals, objectives, and processes were used to\ndetermine if the performance indicators being used appear to be valid and appropriate\ngiven our understanding of SSA\xe2\x80\x99s mission, goals, objectives and processes. We\nfollowed all performance audit standards. In addition to the steps above, we specifically\nperformed the following to test the indicators included in this report:\n\n\n\n\nPerformance Indicator Audit: Processing Time (A-02-04-14072)                          B-1\n\x0cAVERAGE PROCESSING TIME FOR INITIAL DISABILITY CLAIMS\n(DISABILITY INSURANCE AND SUPPLEMENTAL SECURITY INCOME)\n\n    \xe2\x80\xa2   Audited the design and effectiveness of the SSA internal controls and the\n        accuracy and completeness of the data related to the following areas:\n             9 Ensured that the Date of Entitlement, Date of Filing, or Application Date\n                 were accurately posted to the Master Beneficiary Record (MBR) or\n                 Supplemental Security Record (SSR) by reviewing 45 initial disability\n                 insurance and supplemental security income applications.\n             9 Ensured that the Disability Decision Date was accurately posted to the\n                 MBR or SSR by reviewing 45 SSA 831-C3 forms within the case folders.\n             9 Observed the input of the Date of Entitlement, Date of Filing, or\n                 Application Date in the field office.\n             9 Observed the input of the closure date in the Disability Determination\n                 Services.\n    \xe2\x80\xa2   Used a programming specialist to determine the adequacy of the programming\n        logic used by SSA to calculate the processing time for the Title II and Title XVI\n        initial disability claims.\n    \xe2\x80\xa2   Recalculated the Title II processing time for June 2003 and compared it to the\n        Title II processing time reported that month.\n\nAVERAGE PROCESSING TIME FOR INITIAL HEARINGS (DAYS)\n\n    \xe2\x80\xa2   Audited the design and effectiveness of the SSA internal controls and the\n        accuracy and completeness of the data related to the following areas:\n           9 Ensured that the request for hearing date and mail date were accurately\n              posted to the Hearings Office Tracking System (HOTS) by reviewing\n              45 Administrative Law Judge Medicare Case Folders for the request for\n              hearing date and 45 Medicare Transmittal of Decision or Dismissal by\n              Office of Hearings and Appeal located on form HA-505-1U3 for the mail\n              date.\n           9 Observed the input of request for hearing date and mail date in the\n              Medicare hearing office.\n           9 Completed application control reviews over HOTS.\n           9 Completed a general computer control review as it relates to HOTS.\n    \xe2\x80\xa2   Determined the adequacy of the programming logic used by SSA to calculate the\n        processing time for the hearings.\n\n\n\n\nPerformance Indicator Audit: Processing Time (A-02-04-14072)                            B-2\n\x0c                                                                                                                                                                                                                                         Appendix C\n\nFlowchart of Average Processing Time for Initial Disability Claims (DI\nand SSI)\n                                                                                                                      C R in te rv ie w s\n                              C la im a n t c o n ta c ts                                                              c la im a n t v ia\n                                                                                                                                                          Is c la im a n t\n                              S S A v ia F O v is it,                    C a n C R in te rv ie w                     te le c la im o r in -                                                    D o e s c la im a n t\n       START                                                              c la im a n t to d a y ?\n                                                                                                        Yes                                             e lig ib le fo r T II     No                                       No               STOP\n                              m a il, o r p h o n e c a ll                                                       o ffic e a p p o in tm e n t,                                                 in s is t o n filin g ?\n                                                                                                                                                         a n d /o r T X V I\n                                 to F O o r T S C                                                                 firs t v e rify in g n o n -\n                                                                                                                    m e d ic a l is s u e s\n\n                                                                                   No                                                                                           Yes\n\n\n                                                                        S e t u p a te le c la im\n                                                                              o r in -o ffic e\n                                                                            a p p o in tm e n t\n\n\n\n\n                                                                                                        Yes\n\n\n                                                                                                                                              If p o s s ib le , m a k e\n     C o m p le te D I\n                                                                                                                                                a n d e n te r n o n -\n  a p p lic a tio n fo rm s                    R e v ie w n o n -                                  D e te rm in e                                                                         Is th is a n o n -                    A (T o p a g e\n                                                                                                                                                     m e d ic a l                                                        Yes\n    u s in g M C S o r                        m e d ic a l is s u e s                        e ffe c tiv e filin g d a te                                                                m e d ic a l d e n ia l?                    2)\n                                                                                                                                             d e te rm in a tio n in to\n         M S S IC S\n                                                                                                                                              M C S o r M S S IC S\n\n\n                                                                                                     No\n\n\n\n                                                                                           D D S in p u ts re c e ip t                       D D S g a th e rs a n d                                                                   D D S m akes a\n                                                                                                                                                                                            If m e d ic a l\n  C re a te m e d ic a l                                                                        of case on                                    re v ie w s m e d ic a l                                                             d e te rm in a tio n a n d\n                                           S e n d fo ld e r to                                                                                                                       in fo rm a tio n is n o t\n  fo ld e r w ith fo rm                                                                      N D D S S , w h ic h                            e v id e n c e in o rd e r                                                            e n te rs th e m e d ic a l\n                                                  DDS                                                                                                                                 s u ffic ie n t, a C E is\n       S S A -8 3 1                                                                          in te rfa c e s w ith                          to m a k e a m e d ic a l                                                               in fo rm a tio n in th e\n                                                                                                                                                                                            s c h e d u le d\n                                                                                              S S A s y s te m s                                d e te rm in a tio n                                                                       NDDSS\n\n\n\n\n                                                                                                                                                                                                                                        B (T o p a g e\n                                                                                                                                                                                                                                             2)\n\n\n\n\nPerformance Indicator Audit: Processing Time (A-02-04-14072)                                                                                                                                                                                                     C-1\n\x0cFlowchart of Average Processing Time for\nInitial Disability Claims (DI and SSI) cont.\n                                                  DDS inputs\n                                                   medical\n   A From (Page\n                                               determination as\n        1)\n                                               reported on Form\n                                                   SSA-831\n\n\n                                              Claim is approved\n                                              or denied. Medical\n                                                 portion of the\n                                               determination is\n                                                 adjudicated.\n\n\n\n\n                                               Case is closed on\n                                                 NDDSS and a\n                                                determination is\n                                              transferred to SSA\n                                                    systems\n\n\n\n\n                                              Folder is sent back\n                                                    to FO\n\n\n\n\n  Adjudicate non-\n                                               CR input non-med\n medical portion of\n                            No                determination prior to\n claim via MCS or                            sending folder to DDS?\n     MSSICS\n\n\n\n\n                                                 Folder is filed\n\n\n\n\n                                                    C (Title\n     A (From                 B (Title II\n                                                     XVI to\n     page 1)                to page 3)\n                                                    page 3)\n\n\n\n\nPerformance Indicator Audit: Processing Time (A-02-04-14072)           C-2\n\x0cFlowchart of Average Processing Time for Initial Disability Claims\n(DI and SSI) cont.\n                                                                                                                                                                                                    C ( T it le\n       B ( T it le I I\n                                                                                                                                                                                                   X V I fro m\n    fro m p a g e 3 )\n                                                                                                                                                                                                    page 3)\n\n\n\n    M C S u p d a te s\n                                                               M I I C R w r it e s d a t a                                                                                                  S S R is u p d a t e d\n W M S . S S A -1 4 1 8        M IIC R r e a d s in fo .\n                                                                  f o r c o m p le t e d                                                                                                   w it h I D D a n d c la im\n (s c re e n ) u p d a te s    F ro m W M S a n d /o r\n                                                               c la im s in t o M I I C R                                                                                                   d a ta is r o u te d to\n    S S A C C S w it h               SSACCS                                                                                                                                                                                        ZCXM AS\n                                                                     M a s t e r F ile                                                                                                     E x c e p t io n C o n t r o l\n c la im in f o r m a t io n                                                                                                                                                                                                 R e c ir c u la t e s t h e\n                                                                                                                                                                                                                              d a t a u n t il in it ia l\n                                                                                                                                                                    Z C D U C IS                                                  c la im s a r e\n                                                               M I I C R E d it c r e a t e s                                                                     C o n ta in s IC                                                 c o m p le t e\n                                                                f ile o f c o m p le t e d                                                                   tr a n s a c tio n s fr o m\n                                                                   c la im s ( w e e k ly                                                                          S S I u p d a te\n                                                                           ru n )                                                                                  o p e r a t io n s                                           Z C S T A T S is\n                                                                                                                                                                                                                             g e n e ra te d w h e n\n                                                                                                                                                                                                                             E n d P r o c e s s in g\n                                                                     M IIC R C a lc                                                                                                                                           D a t e is p o s t e d /\n     M I I C R S w it c h                                                                                                                                                                                                           e n te re d\n                                                                        c o m p u te s\n  c r e a te s m o n th ly\n                                                                 p r o c e s s in g t im e\n f ile o f c o m p le t e d\n                                                                a n d d e t e r m in e s if\n           c la im s\n                                                                c r it e r ia h a s b e e n\n                                                                m e t ( m o n th ly r u n )\n                                                                                                                                                                                                                             Z S S I C P T M o n t h ly\n                                                                                                                                                                                                                            f ile o f E O L r e c o r d s\n                                                                 M IIC R S o rt s o rts                                                                                                                                          f o r d e liv e r y t o\n    E n d o f L in e                                                     d a ta b y                                                                                                                                                    S S IC R\n   P a r a s e le c t io n                                     c o m p o n e n t, o ffic e ,\n       R e p o rts                                              e tc . ( m o n th ly r u n )\n\n\n\n\n                                                                  M IIC R S u m m a ry                                                                                                                                        S S I C R T it le X V I\n                                                                p ro d u c e s a re c o rd                                                                                                                                       p r o c e s s in g\n                                                                   o f s u m m a r iz e d\n                                                                   num ber of days\n                                                                    a n d c o u n ts fo r\n                                                                  e a c h p r o c e s s in g\n                                                               t im e f o r e a c h o f f ic e\n\n\n\n\n                                 I n it ia l D is a b ilit y                                                                                                                                                                    E n d o f L in e\n                                                                                                                                                                             P r o c e s s in g T im e\n                                 C la im s R e p o r t -                                         GETRSDHI                                   G E T S S IC R                                                                     P a r a s e le c t io n\n                                                                                                                                                                                     R e p o rt\n                               P r o c e s s in g T im e s                                                                                                                                                                         R e p o rts\n\n\n\n\n                                                                                                                C a lc u la t io n o f\n                                                                                                               in it ia l d is a b ilit y\n                                                                                                            c la im s p r o c e s s in g\n                                                                                                                  tim e ( d a y s )\n\n\n\n\nPerformance Indicator Audit: Processing Time (A-02-04-14072)                                                                                                                                                                                                C-3\n\x0cAverage Processing Time for Initial Disability Claims (DI and SSI)\n  \xe2\x80\xa2 Claimant contacts SSA through a field office (FO) visit, mail, or phone call\n     to the FO or tele-service center (TSC).\n  \xe2\x80\xa2 Through one of the above methods, SSA determines if the claimant is\n     eligible for Title II or Title XVI disability benefits.\n  \xe2\x80\xa2 If the claimant is not eligible for disability benefits, this process stops.\n     However if the claimant is eligible for disability benefits, their information is\n     recorded on the application forms and input into the Modernized Claims\n     System (MCS) for Title II benefits or into the Modernized Supplemental\n     Security Income Claims System (MSSICS) for Title XVI benefits.\n  \xe2\x80\xa2 The claimant\xe2\x80\x99s information is reviewed for non-medical eligibility and the\n     effective filing date is determined. Also, a non-medical determination is\n     made if possible and entered into the appropriate application.\n  \xe2\x80\xa2 A medical folder is created with form SSA-831 and is sent to the DDS.\n  \xe2\x80\xa2 Upon receipt, the DDS inputs the case on National Disability\n     Determination Service System (NDDSS), which interfaces with the\n     appropriate Title II and Title XVI applications.\n  \xe2\x80\xa2 DDS gathers and reviews medical evidence to make a medical\n     determination. Additional medical evidence is obtained from the claims\n     examiner if needed.\n  \xe2\x80\xa2 DDS makes a medical determination and inputs the information into\n     NDDSS and on form SSA-831.\n  \xe2\x80\xa2 The claim is approved or denied as appropriate and the medical portion of\n     the determination is adjudicated.\n  \xe2\x80\xa2 The case is closed on NDDSS and the medical determination is\n     transferred to the appropriate Title II and Title XVI applications.\n  \xe2\x80\xa2 If the non-medical determination was not input prior to the DDS review,\n     that will occur.\n  \xe2\x80\xa2 The medical folder is filed.\n  \xe2\x80\xa2 For Title II claims, MCS updates the Work Management System (WMS)\n     and form SSA-1418 updates the SSA Claims Control System (SSACCS)\n     with claim information.\n  \xe2\x80\xa2 Management Information Initial Claims Record (MIICR) reads the claims\n     information from WMS and SSACCS.\n  \xe2\x80\xa2 MIICR writes the data for completed claims to the MIICR master file.\n  \xe2\x80\xa2 MIICR Edit creates a file of completed claims on a weekly basis.\n  \xe2\x80\xa2 MIICR Calculation computes the processing time and determines if the\n     criteria has been met on a monthly basis.\n  \xe2\x80\xa2 MIICR Sort sorts the data by component, office, etc. on a monthly basis.\n  \xe2\x80\xa2 MIICR Summary produces a record of the summarized number of days\n     and counts for each processing time for each office.\n  \xe2\x80\xa2 The Initial Disability Claims Report that includes overall processing time\n     for Title II claims is produced on a monthly basis.\n  \xe2\x80\xa2 For Title XVI claims, the SSR is updated with the initial determination date\n     and the claim is routed to the Exception Control.\n\n\nPerformance Indicator Audit: Processing Time (A-02-04-14072)                       C-4\n\x0c    \xe2\x80\xa2   The ZCXMAS file is created to re-circulate the data until the initial claims\n        are completed.\n    \xe2\x80\xa2   The ZCSTATS file is created when the end processing date is posted.\n    \xe2\x80\xa2   The ZSSICPT file is created to delivery the end of the line records or\n        completed claims to SIICR.\n    \xe2\x80\xa2   SSI Claims Report (SSICR) calculates the processing time and creates\n        the processing time report.\n    \xe2\x80\xa2   On a monthly basis, the overall processing time and total counts on the\n        Initial Disability Claims Report and Processing Time Report are input into\n        an Excel spreadsheet.\n    \xe2\x80\xa2   On an annual basis, the monthly processing times for Title II and Title XVI\n        are summed and the total monthly counts for Title II and Title XVI are\n        summed. The total processing time is divided by the count to produce the\n        average number of disability claims.\n\n\n\n\nPerformance Indicator Audit: Processing Time (A-02-04-14072)                     C-5\n\x0cFlowchart of Average Processing Time for\nHearings (Days)\n   Determination\n    received by\n claimant (Initial or\n Reconsideration)\n\n\n\n\n      Request\n                         No                  End\n      hearing?\n\n\n        Yes\n\n Input into HOTS:\n   When request\n    received at\n  Hearing Office\n\n                                                      Dismissed\n                          No\n       Will\n   Administrative                                                                    Written decision\n    Law Judge                                                                        sent to claimant\n     conduct\n                                                    Pay on Record\n     hearing?\n                           No                      (Expedite without\n                                                       hearing)\n        Yes\n\n\n  Hearing is held\n   and case is\n    explained\n\n\n\n\n                                                                                    Decision letter and\n                                                                  Clerk enters\nAdministrative Law               Judge enters                                          a copy of the\n                                                                disposition date\n  Judge makes                    decision into                                      Administrative Law\n                                                               and mail date into\n    decision                        HOTS                                            Judge\xe2\x80\x99s decision is\n                                                                     HOTS\n                                                                                           sent\n\n\n\n\n                                                               Combine MAR for\nRegional database               Monthly Activity                                    MAR posted to the\n                                                                all locations to\n files sent to OHA                  Report                                             Intranet for\n                                                                generate Case\n and combined in                 produced by                                        Regional Offices to\n                                                                Load Analysis\n        HOTS                        HOTS                                                 review\n                                                                     Report\n\n\n\n\n           Performance Measure Calculation:\nCalendar Days from Hearing Request to Decision Mail Date\n              Total Number of Dispositions\n\n\n\n\nPerformance Indicator Audit: Processing Time (A-02-04-14072)                                              C-6\n\x0cAverage Processing Time for Hearings (Days)\n  \xe2\x80\xa2 The claimant receives the determination.\n  \xe2\x80\xa2 The claimant may or may not request a hearing over the determination.\n  \xe2\x80\xa2 If the claimant requests a hearing, the request for hearing date is entered\n     into the HOTS application.\n  \xe2\x80\xa2 The ALJ may or may not conduct a hearing.\n  \xe2\x80\xa2 If the ALJ does not conduct a hearing, the claim is paid or dismissed.\n  \xe2\x80\xa2 Claimant receives the decision of the non-hearing in writing.\n  \xe2\x80\xa2 If a claimant does not receive a decision, a hearing is conducted by the\n     ALJ.\n  \xe2\x80\xa2 ALJ makes a decision.\n  \xe2\x80\xa2 ALJ enters the decision into HOTS.\n  \xe2\x80\xa2 The clerk enters the disposition date and mail date into HOTS.\n  \xe2\x80\xa2 The decision letter is sent to the claimant.\n  \xe2\x80\xa2 The HOTS files from the regional office are sent to OHA and combined\n     into HOTS.\n  \xe2\x80\xa2 The Monthly Activity Report (MAR) is produced by HOTS for the regional\n     office.\n  \xe2\x80\xa2 The case load analysis report is processed by HOTS from the combination\n     of the monthly MARs provided by each of the regional offices. The case\n     load analysis contains the calculation of the processing time.\n  \xe2\x80\xa2 The MAR is posted to the SSA Intranet for review by the regional offices.\n\n\n\n\nPerformance Indicator Audit: Processing Time (A-02-04-14072)                C-7\n\x0c                                                               Appendix D\n\nAgency Comments\n\n\n\n\nPerformance Indicator Audit: Processing Time (A-02-04-14072)\n\x0c                                           SOCIAL SECURITY\n\nMEMORANDUM                                                                                      33296-24-1160\n\nDate:      October 1, 2004                                                                      Refer To: S1J-3\n\nTo:        Patrick P. O\'Carroll, Jr.\n           Acting Inspector General\nFrom:      Larry W. Dye /s/\n           Chief of Staff\n\nSubject:   Office of the Inspector General (OIG) Draft Report "Performance Indicator Audit: Processing\n           Time" (A-02-04-14072)--INFORMATION\n\n\n           We appreciate OIG\xe2\x80\x99s efforts in conducting this review. Our comments on the draft report\n           content and recommendations are attached.\n\n           Let me know if we can be of further assistance. Staff inquiries may be directed to\n           Candace Skurnik, Director, Audit Management and Liaison Staff on extension 54636.\n\n\n           Attachment:\n           SSA Response\n\n\n\n\n           Performance Indicator Audit: Employment for Disabled Beneficiaries (A-02-04-14068)                     D-1\n\x0cCOMMENTS ON THE OFFICE OF THE INSPECTOR GENERAL (OIG) DRAFT\nREPORT \xe2\x80\x9cPERFORMANCE INDICATOR AUDIT: PROCESSING TIME"\n(A-02-04-14072)\n\n\nThank you for the opportunity to review and comment on the draft report. We agree with\nthe recommendations that improved documentation and identification of all processes\nused to compute the reported data are necessary.\n\nWe disagree with the statement on page 4 that \xe2\x80\x9cSSA had not documented policies and\nprocedures related to the formal process to collect, review, and make available the\nperformance indicator data to Agency management.\xe2\x80\x9d The Management Information\nManual (MIM) II Chapters 8000-9000 include procedures for the field office (FO)\nprocessing time and the MIM IV Chapters 4100-4200 include procedures for the\nDisability Determination Services (DDS) processing time under the Management\nInformation Initial Claims Record (MIICR) and the Supplemental Security Income\nClaims Report systems. Under the Social Security Unified Management System\n(SUMS), we have documented procedures for Title XVI in the Supplemental Security\nIncome Processing Time Users Guide (updated March 2004). The Agency is in the\nprocess of converting Title II from MIICR to SUMS and will include the documented\nprocedures under SUMS when the conversion has been completed.\n\nWe disagree with the statements on page 5, paragraph 4, which support the\nrecommendation to report separate processing times for Title II and Title XVI. The\nparagraph states that "processing times differ between the two programs." Were there\nprogrammatic or legal differences, we would agree that separate reporting would be\nrelevant. However, the disability decision criteria, procedures, and evidentiary\nrequirements are fundamentally the same for both programs. Thus, that there may be\ndiffering processing times between the titles is coincidental and irrelevant. Accordingly,\nwe do not agree that providing details in the Performance and Accountability Report\n(PAR) about the mix of cases used in the calculation is relevant.\n\nOur responses to the specific recommendations are provided below.\n\nRecommendation 1\n\nMaintain the detailed data used to calculate the performance indicator results that are\nreported in the PAR and ensure this data is readily available for examination in\naccordance with Office of Management and Budget (OMB) Circulars A-123 and A-127.\n\nResponse\n\nWe agree. We are currently evaluating the costs involved in maintaining data beyond\nwhat the Agency already stores to support its operations. Storing additional data and,\n\n\n\nPerformance Indicator Audit: Processing Time (A-02-04-14072)                             D-2\n\x0cwhere necessary, retired legacy systems, to replicate data outcomes may prove to be too\ncostly. If that is the case, alternatives will be explored.\n\nRecommendation 2\n\nMaintain documentation that describes how the performance indicator goals were\nestablished, document the policies and procedures used to prepare and report results of\nthe performance indicators, and keep a complete audit trail.\n\nResponse\n\nWe agree. We are currently determining the best approach for maintaining documentation\nabout how performance indicators and related goals are established.\n\nRecommendations--Performance Indicator:\nAverage Processing Time for Initial Disability Claims\n\nRecommendation 3\n\nEnsure that SSA personnel do not have the ability, through inappropriate access, to\ndirectly modify, create or delete the datasets used to calculate the results of this indicator.\n\nResponse\n\nWe agree. Work within the Standardized Security Profile Project (SSPP) has ensured\nthat only an authorized batch job submitted through Control-M can directly modify,\ncreate, or delete the datasets used to calculate processing time for SSI Initial Disability\nClaims. SSPP work continues as SSA addresses remaining user accesses to ensure least\nprivilege is exercised.\n\nRecommendation 4\n\nMaintain all source code for all applications used to calculate the performance indicator.\n\nResponse\n\nWe agree. ENDEVOR currently houses and maintains all source code related to this\nmeasure.\n\n\n\n\nPerformance Indicator Audit: Employment for Disabled Beneficiaries (A-02-04-14068)         D-3\n\x0cRecommendation 5\n\nMaintain an audit trail that captures the user id or terminal, date and time of the\ntransaction being processed. Policies and procedures should be created to review the\naudit trail for inappropriate access to data or processing of transactions.\n\nResponse\n\nWe agree. Auditing features will be activated on all update access secondary User IDs\n(the only User IDs that will allow update access) as we further refine update access\nprivileges.\n\nRecommendation 6\n\nDisclose the impact on the mix of Title II and Title XVI claims and its impact on\ncombined processing time results reported in the PAR.\n\nResponse\n\nWe disagree. The workload mix would not always be relevant to the overall processing\ntime and would not be appropriate to include in the PAR. However, when the trend in\nthe workload mix changes significantly enough to impact processing time overall, we\nwill report the results in the PAR.\n\nRecommendation 7\n\nEnsure the correct data is input into the Title XVI application.\n\nResponse\n\nWe agree. The Agency currently takes proactive steps to ensure claims entered through\nthe normal application process are correct. There are FO and DDS procedures for the\nprocessing and quality review of the initial disability claims for both Titles II and XVI.\nFor example, the DDSs have documented procedures for preparing the final\ndetermination in POMS DI 26500 and documented guidelines for providing quality\nreview in POMS DI 30001.\n\nRecommendations--Performance Indicator: Average Processing Times for Hearings\n(Days)\n\nRecommendation 8\n\nEnsure the correct data is input into the HOTS system.\n\n\n\n\nPerformance Indicator Audit: Employment for Disabled Beneficiaries (A-02-04-14068)      D-4\n\x0cResponse\n\nWe disagree. Since the Hearing Office Tracking System (HOTS) has been replaced with\nthe Case Processing and Management System (CPMS), this recommendation is moot.\nAlthough CPMS cannot guarantee correct data input of 100 percent, CPMS has\nimplemented additional edits that were not previously part of the HOTS system. These\nedits should better ensure the quality of the data within the CPMS database.\n\nRecommendation 9\n\nStrengthen the security internal to the HOTS system to include security incident reports\nto track inappropriate access to data.\n\nResponse\n\nWe disagree. Since HOTS has been replaced with CPMS, this recommendation is moot.\nWe would note that access to CPMS is controlled by Top Secret Security profiles.\nIndividual profiles are managed by SSA component security officials. Security violations\nare written to an audit tracking file. These records include identifying information on the\nuser who attempted access and the SSN they were trying to access.\n\nAlthough HOTS will continue to be used for tracking OHA\xe2\x80\x99s Medicare workload, that is\nan interim workload, which we anticipate being transferred to the Centers for Medicare &\nMedicaid Services (CMS) by the end of fiscal year (FY) 2005.\n\nRecommendation 10\n\nStrengthen password parameters in HOTS to require users to change their passwords\nevery 60 days, to encrypt the passwords located in the user table, to lockout a password\nafter a set number of failed attempts, to create alphanumeric passwords, and to maintain a\npassword history.\n\nResponse\n\nSee response to Recommendation 9. Again, we note that CPMS utilizes SSA\xe2\x80\x99s\nEnterprise Security Interface (ESI). The issues raised are addressed by ESI.\n\nRecommendation 11\n\nReserve supervisory access in HOTS as the highest level of access and be granted on a\nleast privileged basis.\n\nResponse\n\nSee response to Recommendation 9.\n\n\n\nPerformance Indicator Audit: Employment for Disabled Beneficiaries (A-02-04-14068)     D-5\n\x0cRecommendation 12\n\nEnsure claims that are required to be opened are logged and reviewed by management.\n\nResponse\n\nWe agree. CPMS adheres to the Agency\'s standards for security, access and passwords.\nAccordingly, the concern stated above is addressed by using these standards. Further, we\nnote however, for non-Medicare cases, CPMS does not allow reopening of cases.\n\nRecommendation 13\n\nMaintain an audit trail that captures the user id or terminal, date and time of the\ntransaction being processed. Policies and procedures should be created to review the\naudit trail for inappropriate access to data or processing of transactions.\n\nResponse\n\nSee responses to Recommendations 5 and 12.\n\nRecommendation 14\n\nEnsure that the contingency plan is completed and approved by management.\n\nResponse\n\nWe agree. As the report notes, there is a draft plan maintained by OHA, Falls Church. It\nis currently in the review process.\n\nRecommendation 15\n\nEnsure that Windows 2000 is configured to be in compliance with the SSA Risk Model\nand government guidelines from NIST and the DISA Windows 2000 Security Checklist,\nVersion 3.1.11.\n\nResponse\n\nWe agree in part. We agree that WINDOWS 2000 should be configured to be in\ncompliance with the Risk Model. SSA\xe2\x80\x99s monitoring program scans for noncompliance\nand configurations are corrected, where needed. We will re-review National Institute of\nStandards and Technology (NIST) Guidelines ensure that we have incorporated all\npracticable elements into our Risk Model.\n\nRegarding the inclusion of Defense Information Systems Agency (DISA) guides in the\nrecommendation, DISA is charged with providing total information systems management\nfor the Department of Defense (DoD). Its charter has always been focused on DoD\n\n\nPerformance Indicator Audit: Employment for Disabled Beneficiaries (A-02-04-14068)     D-6\n\x0cservice. There has not been a directive for non-DoD agencies to follow DISA standards.\nSSA complies with all regulations and guidance issued by NIST and OMB. These are the\nrequirements that guide civilian agencies. SSA will continue to comply with all\ndirectives for information systems security management issued for the civilian sector.\nOccasionally, SSA elects to follow a DISA standard and adopts it as a best practice for\nthe Agency. But, this is not required; it is just an example of SSA\xe2\x80\x99s diligence in\nprotecting systems and data.\n\n\n[SSA also provided technical comments, which have been addressed in this\nreport, as needed.]\n\n\n\n\nPerformance Indicator Audit: Employment for Disabled Beneficiaries (A-02-04-14068)   D-7\n\x0c                   Overview of the Office of the Inspector General\nThe Office of the Inspector General (OIG) is comprised of our Office of Investigations (OI),\nOffice of Audit (OA), Office of the Chief Counsel to the Inspector General (OCCIG), and Office\nof Executive Operations (OEO). To ensure compliance with policies and procedures, internal\ncontrols, and professional standards, we also have a comprehensive Professional Responsibility\nand Quality Assurance program.\n                                        Office of Audit\nOA conducts and/or supervises financial and performance audits of the Social Security\nAdministration\xe2\x80\x99s (SSA) programs and operations and makes recommendations to ensure\nprogram objectives are achieved effectively and efficiently. Financial audits assess whether\nSSA\xe2\x80\x99s financial statements fairly present SSA\xe2\x80\x99s financial position, results of operations, and cash\nflow. Performance audits review the economy, efficiency, and effectiveness of SSA\xe2\x80\x99s programs\nand operations. OA also conducts short-term management and program evaluations and projects\non issues of concern to SSA, Congress, and the general public.\n\n\n                                     Office of Investigations\nOI conducts and coordinates investigative activity related to fraud, waste, abuse, and\nmismanagement in SSA programs and operations. This includes wrongdoing by applicants,\nbeneficiaries, contractors, third parties, or SSA employees performing their official duties. This\noffice serves as OIG liaison to the Department of Justice on all matters relating to the\ninvestigations of SSA programs and personnel. OI also conducts joint investigations with other\nFederal, State, and local law enforcement agencies.\n\n\n                     Office of the Chief Counsel to the Inspector General\nOCCIG provides independent legal advice and counsel to the IG on various matters, including\nstatutes, regulations, legislation, and policy directives. OCCIG also advises the IG on\ninvestigative procedures and techniques, as well as on legal implications and conclusions to be\ndrawn from audit and investigative material. Finally, OCCIG administers the Civil Monetary\nPenalty program.\n                                Office of Executive Operations\nOEO supports OIG by providing information resource management and systems security. OEO\nalso coordinates OIG\xe2\x80\x99s budget, procurement, telecommunications, facilities, and human\nresources. In addition, OEO is the focal point for OIG\xe2\x80\x99s strategic planning function and the\ndevelopment and implementation of performance measures required by the Government\nPerformance and Results Act of 1993.\n\x0c'